CVE-2026-2950 PUBLISHED

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Assigner: openjs
Reserved: 21.02.2026 Published: 31.03.2026 Updated: 01.04.2026

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the .unset and .omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 6.5

Product Status

Vendor lodash
Product lodash
Versions Default: unaffected
  • affected from 4.17.23 to 4.18.0 (excl.)
  • Version 4.18.0 is unaffected
Vendor lodash
Product lodash-es
Versions Default: unaffected
  • affected from 4.17.23 to 4.18.0 (excl.)
  • Version 4.18.0 is unaffected
Vendor lodash
Product lodash-amd
Versions Default: unaffected
  • affected from 4.17.23 to 4.18.0 (excl.)
  • Version 4.18.0 is unaffected
Vendor lodash
Product lodash.unset
Versions Default: unaffected
  • affected from 4.0.0 to 4.18.0 (excl.)
  • Version 4.18.0 is unaffected

Credits

  • Haruna38 reporter
  • shpik-kr finder
  • maru1009 finder
  • ott3r07 finder
  • zolbooo finder
  • backuardo finder
  • falsyvalues remediation developer
  • jonchurch remediation developer
  • jdalton analyst
  • UlisesGascon remediation reviewer

References

Problem Types

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') CWE